Bug 1195465

Summary: update to lighttpd-1.4.64-bp153.2.3.1.x86_64 breaks userdir public_html
Product: [openSUSE] openSUSE Distribution Reporter: Dirk Weber <d_werner>
Component: Security Assignee: Andreas Stieger <Andreas.Stieger>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: Andreas.Stieger, jsegitz, meissner
Version: Leap 15.3   
Target Milestone: ---   
Hardware: x86-64   
OS: openSUSE Leap 15.3   
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Dirk Weber 2022-02-02 20:34:10 UTC
After today's maintenance update to 
userdirs (public_html) are no longer accessible via lighttpd.

URLs in the style
now result in an error message (404).

The problem seems to be caused by the hardening settings in the new

It now contains additionally:

# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
# end of automatic additions 

Creating a 
without these settings - this means falling back to the old services file -
and disabling/enabling the service in order to update the links and restarting it restores the functionality.

With just disabling 
and keeping the other hardening settings active, the
access also works.

So ProtectHome=true seems to be the culprit in this case.
Comment 1 Dirk Weber 2022-02-02 21:52:43 UTC
After checking options for ProtectHome on 
I found read access to the home directories public_html is also working with:
Maybe this is a better setting for lighttpd than to drop it completely.

Just as a cross-reference: added this bug to bug 1181400 and set to security as this hardening seems to be added automatically.

BTW: I also already observed this problem on Tumbleweed for some weeks but did not have time to track it down. I suspected it was caused by a change in lighttpd's configuration files and failed to get it to work by just modifying those and incorporating the changes from the rpmnew files.
Comment 2 Johannes Segitz 2022-02-03 07:42:13 UTC
Yes, ProtectHome=read-only is a better setting. Thanks for reporting this here, I'll submit a fix.
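
The effect discussed in the comments above, as an added example that is not part of the bug report or of the lighttpd package: a small Python check that resolves the effective ProtectHome= value from a unit file plus drop-ins (later assignments win) and reports whether content under /home stays visible to the service. The unit text, the drop-in and the function names are constructed for illustration.

```python
# Added example. SHIPPED and DROPIN are constructed samples, not the packaged unit.
TRUE = {"1", "yes", "true", "on"}
FALSE = {"0", "no", "false", "off"}

def effective_protect_home(*fragments):
    """Apply unit file fragments in order and return the resulting ProtectHome= mode."""
    mode = "no"  # systemd default when the setting is absent
    for text in fragments:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue  # blank line or comment
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            key, sep, value = line.partition("=")
            if section != "Service" or not sep or key.strip() != "ProtectHome":
                continue
            value = value.strip()
            if value == "" or value.lower() in FALSE:
                mode = "no"  # an empty assignment resets to the default
            elif value.lower() in TRUE:
                mode = "yes"
            elif value in ("read-only", "tmpfs"):
                mode = value
            # any other value is skipped here and the previous mode is kept
    return mode

def userdir_readable(mode):
    """True if real home directories remain visible to the service."""
    # "yes" makes /home, /root and /run/user inaccessible; "tmpfs" hides them
    # behind an empty tmpfs; "read-only" keeps them visible but not writable.
    return mode in ("no", "read-only")

SHIPPED = """[Unit]
Description=constructed sample unit
[Service]
ExecStart=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
ProtectHome=true
"""

DROPIN = """[Service]
ProtectHome=read-only
"""

if __name__ == "__main__":
    for label, parts in (("shipped", (SHIPPED,)), ("with drop-in", (SHIPPED, DROPIN))):
        mode = effective_protect_home(*parts)
        print(f"{label}: ProtectHome={mode} userdir_readable={userdir_readable(mode)}")
```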
Comment 3 Marcus Meissner 2022-02-03 13:43:02 UTC
I think Andreas submitted the maintenance update, cc
Comment 4 Andreas Stieger 2022-02-03 17:13:23 UTC
submitted to Tumbleweed and Leap
Comment 5 OBSbugzilla Bot 2022-02-03 17:50:05 UTC
This is an autogenerated message for OBS integration:
This bug (1195465) was mentioned in
https://build.opensuse.org/request/show/951357 Factory / lighttpd
https://build.opensuse.org/request/show/951358 Backports:SLE-15-SP3 / lighttpd
Comment 6 Swamp Workflow Management 2022-02-07 08:17:09 UTC
openSUSE-RU-2022:0029-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1195465
CVE References: 
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    lighttpd-1.4.64-bp153.2.6.1